SOPA And The Film Industry
Tomorrow (Wednesday 18th Jan 2012) Wikipedia will black out, friends will not Tweet and I am sure other activities will occur to protest over the Stop Online Piracy Act (SOPA) in the US.
This post is not about why I support but more of a reflection about action. I have never been able to strike or stop work as I have been self-employed or in growth companies for just about my entire working career. But I now have the choice to make my view known. Many of us watched in awe as several countries used the Internet to bring about regime change and have enjoyed free services in exchange for our data and advertising.
It feels good that we can now raise a peaceful protest and have a voice, but how did we get to this point? I am left wondering how it is that the US even got as far as they did with the proposals and whose voice is the true voice Government listens to until we protest. Why is it that we protest late and not early?
Within the EU we are facing the same issue with policy and proposals being introduced from Viviane Reding that appear to be backed by those who have an old model to protect and want the state (law) to do something that the senior execs failed to do.
Issues that we should be engaged in include: Tracking, Nymwars, security, location, GPS, privacy, Do Not Track, Government Data, storage and protection of data, citizenship, rights and access to name a few. If only there was enough time….
Therefore, I can see someone coming up with a new CAPTCHA-style idea (see this TED talk), where at the joining stage of a service (or usage) we get to voice a vote about something: massive-scale online collaboration to bring about change, so that rather than a day of protest there is a continual stream of consciousness from the voter?
A "COPYRIGHT INFRINGEMENT AND ENFORCEMENT IN THE US" study has found that we appeared to be prepared to pay for online content...
The survey from the American Assembly, a respected think-tank, shows that illegal file sharing among family and friends is relatively common, but that people would prefer to use a legal alternative if one was available at the right price and usage point.
Preliminary Conclusions
· “PIRACY” IS COMMON. SOME 46% OF ADULTS HAVE BOUGHT, COPIED, OR DOWNLOADED UNAUTHORIZED MUSIC, TV SHOWS OR MOVIES. THESE PRACTICES CORRELATE STRONGLY WITH YOUTH AND MODERATELY WITH HIGHER INCOMES. AMONG 18-29 YEAR OLDS, 70% HAVE ACQUIRED MUSIC OR VIDEO FILES THIS WAY.
· LARGE-SCALE DIGITAL PIRACY IS RARE, LIMITED TO 2% OF ADULTS FOR MUSIC (>1000 MUSIC FILES IN COLLECTION AND MOST OR ALL COPIED OR DOWNLOADED FOR FREE) AND 1% FOR FILM (>100 FILES, MOST OR ALL FROM COPYING OR DOWNLOADING).
· LEGAL MEDIA SERVICES CAN DISPLACE PIRACY. OF THE 30% OF AMERICANS WHO HAVE ‘PIRATED’ DIGITAL MUSIC FILES, 46% INDICATED THAT THEY NOW DO SO LESS BECAUSE OF THE EMERGENCE OF LOW-COST LEGAL STREAMING SERVICES. AMONG TV/MOVIE PIRATES, 40%.
· COPYRIGHT INFRINGEMENT AMONG FAMILY AND FRIENDS IS WIDELY ACCEPTED (75% AND 56%, RESPECTIVELY, FOR MUSIC; 70% AND 54% FOR FILM). IN CONTRAST, ACTIVITIES THAT IMPLY DISSEMINATION OF COPYRIGHTED GOODS TO LARGER NETWORKS RECEIVE VERY LOW LEVELS OF SUPPORT.
· ONLY A SLIM MAJORITY OF AMERICANS (52%) SUPPORT PENALTIES FOR DOWNLOADING COPYRIGHTED MUSIC AND MOVIES—AND LIMIT THIS SUPPORT TO WARNINGS AND FINES. OTHER PENALTIES, SUCH AS BANDWIDTH THROTTLING AND DISCONNECTION, RECEIVE MUCH LOWER LEVELS OF SUPPORT.
· DISCONNECTION FROM THE INTERNET, IN PARTICULAR, IS VERY UNPOPULAR, WITH ONLY 16% IN FAVOR AND 72% OF AMERICANS OPPOSED.
· AMONG THOSE WHO SUPPORT FINES, 75% SUPPORT AMOUNTS UNDER $100 PER SONG OR MOVIE INFRINGED—HUGELY UNDERSHOOTING THE CURRENT STATUTORY PENALTIES.
· FOR A MAJORITY OF AMERICANS (54%), DUE PROCESS IN SUCH MATTERS REQUIRES A COURT—NOT ADJUDICATION BY PRIVATE COMPANIES.
· SOLID MAJORITIES OF AMERICAN INTERNET USERS OPPOSE COPYRIGHT ENFORCEMENT WHEN IT IS PERCEIVED TO INTRUDE ON PERSONAL RIGHTS AND FREEDOMS. 69% OPPOSE MONITORING OF THEIR INTERNET ACTIVITY FOR THE PURPOSES OF ENFORCEMENT. 57% OPPOSE BLOCKING OR FILTERING BY COMMERCIAL INTERMEDIARIES IF THOSE MEASURES ALSO BLOCK SOME LEGAL CONTENT OR ACTIVITY.
· COMPARABLE MAJORITIES (56%) OPPOSE GOVERNMENT INVOLVEMENT IN “BLOCKING” ACCESS TO INFRINGING MATERIAL. THIS NUMBER INCREASES TO 64% WHEN THE TERM “CENSOR” IS USED.
· BLOCKING AND FILTERING BY COMMERCIAL INTERMEDIARIES SUCH AS ISPS, SOCIAL MEDIA SITES, AND SEARCH ENGINES RECEIVE MAJORITY SUPPORT—UNTIL THE QUESTIONS INCLUDE LIKELY CONSEQUENCES. MAJORITIES OF INTERNET USERS SUPPORT REQUIREMENTS THAT ISPS AND SEARCH ENGINES “BLOCK” INFRINGING MATERIAL (58% FOR ISPS; 53% FOR SEARCH ENGINES). THIS SUPPORT RUNS AS HIGH AS 61% FOR A SOFT REQUIREMENT THAT USER-CONTENT DRIVEN SITES LIKE FACEBOOK “TRY TO SCREEN ALL MATERIAL AND REJECT PIRATED COPIES OF MUSIC AND VIDEOS.” BUT THIS MAJORITY DISAPPEARS WHEN BLOCKING BY ISPS IS CHARACTERIZED AS CENSORSHIP (46% SUPPORT), FALLS FURTHER WHEN ASSOCIATED WITH THE BLOCKING OF LEGAL CONTENT (36% SUPPORT), AND STILL FURTHER WHEN IT IMPLIES SURVEILLANCE OF INTERNET USE (26% SUPPORT).
· WHICH SCENARIO BEST APPROXIMATES THE STOP ONLINE PIRACY ACT? IN OUR VIEW, ISP BLOCKING THAT ALSO BLOCKS SOME LEGAL CONTENT. IN THIS CASE, INTERNET USERS OPPOSE BLOCKING: 57% TO 36%.
If a trust framework for digital identity systems is a “certification” program that enables a party who accepts a digital identity credential (relying party) to trust the identity, security, and privacy policies of the party who issues the credential (identity provider) and vice versa, then the purpose of the Trust Framework is to define a simple set of principles and rules to which all members of a digital trust network agree so that they may then share identity and personal data with a high degree of confidence that it will be safe and only used as authorized.
Using the Five Principles of the Respect Trust Framework from http://connect.me/c/trust, members should be able to agree to uphold these 5 principles when they use services:
| Principle | What members agree to |
| --- | --- |
| Promise | Members promise to respect the right of every other member to control their identity and personal data. |
| Permission | Members agree that all sharing of identity and personal data and sending of communications will be by permission, and to be honest and direct about the purpose(s) for which permission is sought. |
| Protection | Members agree to provide reasonable protection for the privacy and security of identity and personal data shared with that member. |
| Portability | Members agree to ensure the portability of the identity and personal data shared with that member by another member. |
| Proof | Members agree to participate in a peer-to-peer socially-verified reputation system that protects all members, and to not engage in any practices intended to game or subvert this reputation system. |
But this assumes:
· Only you decide who your personal data is shared with and for what purpose
· Your data will not be used without your permission
· You can always take your data with you and never be “locked in”…..
And therefore Trust needs trust and these need time not certificates….
This is a new (US) study on COPPA policy implications that affect the internet. COPPA is the U.S. legislation that prompts most major U.S. companies to make their websites 13+. The regulation is currently being reviewed by the Federal Trade Commission.
Title: "Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the 'Children's Online Privacy Protection Act'"
Authors: Danah Boyd (Microsoft Research/NYU), Eszter Hargittai (Northwestern), Jason Schultz (UC-Berkeley), and John Palfrey (Harvard)
Topline:
A major new nationwide study released today shows that many parents know that their underage children are on Facebook in violation of the site's restrictions. Parents are often complicit in helping their children join the site. These new data suggest that, by creating a context in which companies choose to restrict access to children, the Children's Online Privacy Protection Act (COPPA), which is currently under review, inadvertently undermines parents' ability to make choices and protect their children's data. This study has significant implications for policy makers, particularly in light of the discussion in Congress and at the Federal Trade Commission about COPPA and other age-based privacy laws. Based on a national sample of 1,007 U.S. parents who have children living with them between the ages of 10-14, this survey conducted July 5-14, 2011 found:
• Although Facebook's minimum age is 13, parents of 13- and 14-year-olds report that, on average, their child joined Facebook at age 12.
• Half (55%) of parents of 12-year-olds report their child has a Facebook account, and most (82%) of these parents knew when their child signed up. Most (76%) also assisted their 12-year-old in creating the account.
• A third (36%) of all parents surveyed reported that their child joined Facebook before the age of 13, and two-thirds of them (68%) helped their child create the account.
• Half (53%) of parents surveyed think Facebook has a minimum age and a third (35%) of these parents think that this is a recommendation and not a requirement.
• Most (78%) parents think it is acceptable for their child to violate minimum age restrictions on online services.
The authors argue that these data call into question the efficacy of COPPA. Their findings have important implications for COPPA reform and other age-based legislation, such as the "Do Not Track Kids Act" currently being discussed in Congress:
• COPPA is well intended but has major unintended consequences in terms of encouraging general-purpose websites like Facebook, Skype, and Gmail to limit kids under 13 from accessing educational and social opportunities.
• Age-based restrictions imposed in response to COPPA undermine parental authority and limit parents' freedoms to make choices about what their children do and what information is collected about them.
• As a result of COPPA, lying about one's age has become normal and parents often help children lie. This creates safety and privacy issues.
• Online safety and privacy are of great concern to parents, but most parents do not want solutions that result in age-based restrictions for their children.
• Parents are open to recommended age ratings and other approaches that offer guidance without limiting their children's access.
The implications of this study go beyond issues of governance. The age restrictions engendered by COPPA have serious implications for parenting, education, and issues surrounding children's rights.
Full article: http://bit.ly/ParentSurveyCOPPA
danah's blog post: http://bit.ly/tgKZrE
Huffington Post op-ed: http://huff.to/rVocz5
CNet Coverage: http://cnet.co/tnNPw1
October 2011
CDT released a paper on Data Retention Mandates: A Threat to Privacy, Free Expression, and Business Development.
Data retention is an Internet policy and human rights issue that has arisen throughout the world, from Argentina to South Africa, from the US and Europe to South Korea. These policies are often driven by law enforcement dissatisfaction with the amount of information that service providers collect and retain in the ordinary course of business. In response, governments have imposed or considered legal mandates requiring service providers to retain certain data about all of their users for specified periods of time, even when that data no longer is needed for a business purpose, and even where only some users are suspected of wrongdoing. Generally, under these data retention mandates, the data must be collected and stored in a manner such that it is linked to users' names or other identification information. Government officials may then request access to this data, pursuant to the laws of their respective countries -- with varying degrees of protection against undue government intrusion.
This paper offers an introduction to the issue of data retention and the different variables that may be present in a data retention mandate. It presents an evaluation of the risks to privacy, free expression, competition, and innovation that are raised by data retention mandates and provides examples of data retention laws from around the world and the challenges and concerns raised by these laws.
CDT paper is here http://cdt.org/files/pdfs/CDT_Data_Retention_Paper.pdf
Comment: Personally I agree, storing data is great if you can protect it and keep it up to date, but the more you store the higher the cost of storage (and management) and the more waste there is... Stop storing data, store insights and output from analysis, not the RAW stuff.
CDT joined in a "friend of the court" brief filed at the U.S. Supreme Court in what could be one of the major Fourth Amendment cases of the decade, U.S. v. Jones, which poses the question of whether the police can plant a GPS device on a person's car for 24/7 tracking without judicial oversight.
The brief says: The issue before the Court in this case is not whether GPS tracking ever may be used by the government. Rather, it is whether the government must obtain a warrant in order to employ this technology.
CDT's brief was filed jointly with our frequent partner in Fourth Amendment cases, the Electronic Frontier Foundation. Several things make the brief special. First, it is also signed by four technologists, whose expertise lends special credibility to the brief. Moreover, one of the four is Roger Easton, often called the father of GPS for his groundbreaking work at the Naval Research Laboratory. The other three represent the current generation of experts on networking, mobility and security: Andrew Blumberg of the University of Texas, Norman Sadeh of Carnegie Mellon, and Matt Blaze (who broke the Clipper chip) of the University of Pennsylvania. And, the brief was written by Andy Pincus, a former Assistant to the Solicitor General of the United States and one of the leading Supreme Court advocates today. True to CDT's approach to tech policy issues, half of the brief focuses on the technology of GPS, half on showing how that technology interfaces with legal precedent. Our main point is that GPS technology is fundamentally different from the "bumper beepers" whose use the Supreme Court ruled in 1983 was not covered by the Constitution's search and seizure clause. GPS, in contrast, is so different from human observation and generates such precise and pervasive data that it violates the average person's reasonable expectation of privacy, even on the public streets.
For example, the brief notes that: As receivers shrink in size, it will be possible to install them in a person’s clothing… the government would be able to use the technology to track the movements of large numbers of individuals even more directly and precisely than through the attachment of a GPS receiver to a vehicle.
Oral argument in the case is scheduled for November 8. The Court may not rule on the case until next year.
Via Olswang
The Information Commissioner's Office has published guidance to give businesses a "starting point for compliance" with new rules requiring opt-in consent to the use of cookies. The new UK legislation comes into force on 26 May. The Government continues to work with browser manufacturers on a browser-based solution, but the ICO stresses that businesses do need to take compliance steps now, not simply wait and see.
The new rules and ICO guidance: what three steps should businesses take now?
The background to these changes will now be familiar to many of our readers - but for a quick recap please see our April 2011 update here. In short, the obligation on websites using cookies is being "upped" from a requirement for clear and comprehensive information about cookie use (and the opportunity to refuse cookies) to a requirement for opt-in consent.
The new rules are set out in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which amend the 2003 "PEC Regulations". As expected, the new regulations simply copy out the underlying EU Directive (although they do specifically allude to browser settings as one potential means of obtaining consent).
The ICO published its 9 page guidance on 8 May. In short, it advises businesses to:
The guidance goes a little further than expected in stressing that businesses should not simply be waiting for a browser-based solution to emerge, but considering and implementing alternative methods of obtaining users' consent.
The overriding message is, as ever, transparency. The guidance suggests providing lists of cookies used and how they work, to enable users to make an informed choice; it suggests suitably prominent text in the footer or header of the website when cookies are set on the user's device. It also recommends a spring clean to get rid of unnecessary/ obsolete cookies. The more intrusive a particular cookie, the greater the compliance effort required to make it transparent and to obtain users' consent to it.
What are the alternative methods of obtaining informed consent to cookies?
The guidance emphasises that - even when a browser solution does emerge - it may not be appropriate in every case. For example, users may not have the most up to date versions of the browser, and a website's use of cookies will in any event need to be considered on a case by case basis. The guide briefly considers the pros and cons of the following alternative methods of informing users about privacy choices and obtaining the requisite consent:
The guidance also emphasises that the opt-in rules also apply in the more complex scenario involving third party cookies, and that "everyone has a part to play" in ensuring compliance whilst unfortunately giving little help as to how to deal with them in this situation. This is disappointing, since this is the precise area where guidance is needed.
If I do nothing, what is the risk of enforcement action?
Despite the fact that the UK is still working on practical compliance solutions, businesses do need to take certain steps now to avoid user complaints and potential enforcement action by the ICO once the rules come into force on 26 May. In its guidance the ICO states that, although the UK is taking a phased approach to implementation of the new rules, in the event of a complaint about a website the ICO "would expect an organisation's response to set out how they have considered the points above [i.e. the three bullet points in our first paragraph] and to have a realistic plan to achieve compliance". A further guidance document on the ICO's approach to enforcement which will give more details is still pending.
What else should my business be doing in relation to cookies?
The three steps described above are seen by the ICO as being "a starting point" on the "road to compliance". We recommend that businesses also need to:
What else is new?
While the cookie rules apply to all online businesses, the new Regulations also introduce new data breach notification requirements specific to the electronic communications sector. The EU has made it clear that in the future it plans to extend rules on reporting data breaches to all organisations, although at this stage it is not clear when.
The ICO's guidance "Changes to the rules on using cookies and similar technologies for storing information" is available on the ICO's website.
To discuss the impact of this issue on your business, please contact Olswang's Head of Data Protection Marc Dautlich marc.dautlich@olswang.com, Legal Director Elle Todd elle.todd@olswang.com or another member of Olswang's Data Protection Team. See also www.datonomy.eu.
Another European Union privacy group has published a document with recommendations about location privacy. The problem is that it will inform those who are influential in the EU but who do not really understand the wider implications and unintended consequences. The paper is published by the "Article 29 Data Protection Working Party", which is part of the justice division of the EU, and is formed by a representative in charge of data protection (privacy) in each EU member state. When the Article 29 group puts out an opinion, its recommendations can be followed by either individual EU states or the EU itself, and they did set limits on how long search engines should be retaining their search data.
The recommendations aren’t law but they do appear to go far above and beyond what's been discussed so far in the U.S., just as Google, Apple, Sony and Nintendo are being interrogated about their policies when it comes to user data, its use and ownership.
The key recommendations are:
There is always a balance between usability and security, there is always a trade-off between free and paid, and we must protect the naive from the dangerous. But why is it fair to put higher barriers for one type of trade?